Slide 1: Naming Cached PMKs
Dan Harkins, Trapeze Networks
July 2003
Slide 2: Current PMK Caching
- The supplicant sets a "cached PMK" bit in the RSN Capabilities bitfield of the RSN IE in the associate request.
- The authenticator sends the associate response and then:
  - begins the 4-way handshake if it has a cached PMK for the supplicant;
  - begins 802.1X authentication if it does not have a cached PMK for the supplicant.
Slide 3: Current PMK Caching
- Relies on there being no ambiguity about which PMK to use in the 4-way handshake.
- Problematic for fast handoff:
  - Proactive (push) techniques can provide an AP with a PMK for the supplicant before the associate request is received.
  - Reactive (pull) techniques can let the AP retrieve a PMK for the supplicant.
  - Either way an AP can end up holding more than one PMK for the same supplicant. This can introduce ambiguity!
Slide 4: Name Cached PMKs!
pmkname = HMAC-SHA1-128(PMK, "Key Identifier" | AP-mac | STA-mac)
- If the supplicant sets the "cached PMK" bit in the associate request, the number of pmknames and the list of pmknames are appended to the request.
- If the authenticator has one of the PMKs named in the list, it appends that pmkname to the first message of the 4-way handshake.
Slide 5: Name Cached PMKs!
STA -> AP (associate request): "I have cached PMKs: fjkdkleifjcjd8w2, 984oeruwonwru, dbnier7owfurn7w, 8qo8awq8t348h4"
AP -> STA (4-way handshake, message 1): "dbnier7owfurn7w"
Semantics: use the PMK named by "dbnier7owfurn7w" in the 4-way handshake.
Slide 6: Advantages of Naming Cached PMKs for Fast Handoff
- No new key hierarchies
- No new service primitives
- No new PRFs
- No new key exchanges
- No new management frames
- A minimal, simple change to existing mechanisms: add a list, append a blob.
Slide 7: Advantages of Naming Cached PMKs for Fast Handoff
- Works with any scheme for distributing PMKs:
  - IAPP
  - Neighbor graphs
- It doesn't matter how the PMK got there, just that it got there.
- The protocol does not assume the existence of PMKs: either side can delete a PMK from its cache for any reason and at any time.
Slide 8: Advantages of Naming Cached PMKs for Fast Handoff
- The STA authenticates to A, hibernates, and wakes up at D, where it authenticates again.
- PMKs were delivered by the AS to B and E for the first authentication, and different PMKs were delivered to B and E for the second.
- The STA will assert both when it moves to B.
(Figure: APs labelled A, B, C, D and E.)
Slide 9: Advantages of Naming Cached PMKs for Fast Handoff
- B will select one and initiate the 4-way handshake.
- If the STA moves to C it will again assert two named PMKs. Depending on the neighbor graph, C may have one, in which case C will choose it, or none, in which case C will begin 802.1X authentication of the STA.
(Figure: APs labelled A, B, C, D and E.)
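The naming rule of slide 4 and the hibernate-and-roam scenario of slides 8 and 9, played out in code. This is an added example and not part of the presentation or of any 802.11 draft text; the station and AP MAC addresses, the two PMKs, the cache data structures and the class names are all constructed for illustration. The label string follows the slide ("Key Identifier"); the text later standardized in 802.11i uses "PMK Name" for the same construction and calls the result the PMKID.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample identities (not from the slides).
STA_MAC = bytes.fromhex("001122334455")
AP_MACS = {
    "A": bytes.fromhex("00aabbccdd01"),
    "B": bytes.fromhex("00aabbccdd02"),
    "C": bytes.fromhex("00aabbccdd03"),
    "D": bytes.fromhex("00aabbccdd04"),
    "E": bytes.fromhex("00aabbccdd05"),
}
# Constructed PMKs standing in for the output of two separate 802.1X runs.
PMK1 = hashlib.sha256(b"constructed PMK from first 802.1X run at A").digest()
PMK2 = hashlib.sha256(b"constructed PMK from second 802.1X run at D").digest()


def pmk_name(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """Slide 4: pmkname = HMAC-SHA1-128(PMK, "Key Identifier" | AP-mac | STA-mac).

    HMAC-SHA1 keyed with the PMK over the label and both MAC addresses,
    truncated to its first 128 bits (16 bytes)."""
    tag = hmac.new(pmk, b"Key Identifier" + ap_mac + sta_mac, hashlib.sha1).digest()
    return tag[:16]


class Authenticator:
    """An AP with a PMK cache indexed by pmkname (assumed data model)."""

    def __init__(self, ap_mac: bytes) -> None:
        self.mac = ap_mac
        self.cache: dict = {}

    def install_pmk(self, pmk: bytes, sta_mac: bytes) -> bytes:
        # How the PMK arrived (own 802.1X run, IAPP push, neighbor-graph
        # pull) is irrelevant; it is cached under the name both sides compute.
        name = pmk_name(pmk, self.mac, sta_mac)
        self.cache[name] = pmk
        return name

    def delete_pmk(self, name: bytes) -> None:
        # Either side may drop a cached PMK at any time (slide 7).
        self.cache.pop(name, None)

    def on_associate_request(self, pmknames: list) -> tuple:
        # First name in the STA's list that we hold wins and is echoed in
        # message 1 of the 4-way handshake; otherwise fall back to 802.1X.
        for name in pmknames:
            if name in self.cache:
                return "4-way", name
        return "802.1X", None


class Supplicant:
    """A STA holding every PMK it has obtained (assumed data model)."""

    def __init__(self, sta_mac: bytes) -> None:
        self.mac = sta_mac
        self.pmks: list = []

    def associate_request(self, ap_mac: bytes) -> list:
        # "cached PMK" bit set: one name per cached PMK, each computed for
        # the AP being joined, so the same PMK is named differently at B and C.
        return [pmk_name(p, ap_mac, self.mac) for p in self.pmks]

    def pmk_named(self, name: bytes, ap_mac: bytes) -> Optional[bytes]:
        # Resolve the name echoed in 4-way message 1 back to a PMK.
        for p in self.pmks:
            if pmk_name(p, ap_mac, self.mac) == name:
                return p
        return None


def hibernate_scenario() -> dict:
    """Slides 8 and 9 on the constructed identities above."""
    sta = Supplicant(STA_MAC)
    aps = {label: Authenticator(mac) for label, mac in AP_MACS.items()}

    # First authentication at A; the AS pushes PMK1 to neighbors B and E.
    sta.pmks.append(PMK1)
    for label in "ABE":
        aps[label].install_pmk(PMK1, STA_MAC)

    # STA hibernates, wakes at D, authenticates again; PMK2 goes to B and E.
    sta.pmks.append(PMK2)
    for label in "DBE":
        aps[label].install_pmk(PMK2, STA_MAC)

    # Move to B: two names asserted, B holds both, picks one, no guessing.
    names_b = sta.associate_request(aps["B"].mac)
    action_b, chosen = aps["B"].on_associate_request(names_b)
    agreed = chosen is not None and sta.pmk_named(chosen, aps["B"].mac) == aps["B"].cache[chosen]

    # B drops the PMK it just used; the other named PMK still matches.
    aps["B"].delete_pmk(chosen)
    action_b2, chosen2 = aps["B"].on_associate_request(names_b)

    # Move to C: nothing was delivered to C, so C starts 802.1X.
    names_c = sta.associate_request(aps["C"].mac)
    action_c, _ = aps["C"].on_associate_request(names_c)

    return {
        "names_asserted_at_B": len(names_b),
        "action_at_B": action_b,
        "B_and_STA_agree": agreed,
        "action_at_B_after_delete": action_b2,
        "different_pmk_after_delete": chosen2 is not None and chosen2 != chosen,
        "action_at_C": action_c,
        "names_bound_to_AP": names_b != names_c,
    }
```

Two points the code makes concrete. Because the AP MAC is inside the HMAC, a list of names is specific to the AP being joined and reveals nothing an AP could reuse to match the STA at a different AP. And because the PMK is the HMAC key, the name is only an identifier when the PMK itself has enough entropy: when the PMK is a PSK (slide 11), a captured pmkname is a keyed hash of the passphrase over two public MAC addresses and can be checked offline against candidate passphrases.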
Slide 10: Advantages of Naming Cached PMKs for Fast Handoff
- Works with any scheme for deriving AP-specific PMKs.
- Independent of whatever key hierarchy may be defined.
- It doesn't matter how the key was derived, as long as the STA and AS are using the same technique. The AP is out of the loop, so the protocol does not care.
Slide 11: Advantages of Naming Cached PMKs for Fast Handoff
- Can be used with PSKs too!
Slide 12: Discussion
Slide 13: Motion!
Insert the changes described in 03/484-r1 into the draft.